Validation of mobile app and cloud servers for data security

racglobal

Starting to get Involved
#1
Hello everyone,

To ensure the mobile app is securely downloaded from an app store such as Google Play or Apple store, how can a team validate the download is secure from Google Cloud servers? How can these cloud servers be validated? Is it assumed that because it's Google, the download must be secure? Thanks.

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#2
I have no idea, so I asked my IT Director husband. His response: "Google Play and Android apps are not validated by these companies, but Apple validates its apps before making them available."

These apps are publicly contributed and the hosts take no responsibility for them. I would worry more about the app than the cloud servers; reviews can give solid hints. Google is known for pulling apps that get really bad reviews. This is, of course, after the fact... the security of your own internet provider and your networks' visibility to others is a different topic altogether.

Therefore, if you want to ensure an Android or Google app is secure, you should first download it onto a segregated unit or drive, test it and then deploy it.

I hope this helps!

Marc

Captain Nice
Staff member
Admin
#3
Jennifer is correct, but... 1st: I'M NOT A SECURITY SPECIALIST. Hopefully someone who is can help with specifics with this one.

There are two aspects here that I can think of off hand:
  1. Security in the sense of whether the app itself is "secure" in how it works (such as no data leaks), and
  2. Security in that there is no MITM (man in the middle) or other data corruption issue that can in any way alter a file (which an "app" is).
Let's say you are just downloading an app. If the app provider provides a checksum for the app, you can verify whether or not the content of the app is exactly what it is supposed to be.
Also see: How to verify the checksum of a downloaded file (pgp, sha, etc.)? for some thoughts.
Microsoft's helper: Download Microsoft File Checksum Integrity Verifier from Official Microsoft Download Center
Windows 10's Built In checker: What Is a Checksum (and Why Should You Care)?

But remember, checksums are somewhat analogous to filesystem "fingerprints": no two should ever be alike, and any modification to the file should change the checksum. But checksums are unsuitable for any kind of security work:
CRCs cannot be safely relied upon to verify data integrity (that no changes whatsoever have occurred), since it's extremely easy to intentionally change data without modifying its CRC.
That's probably because CRC is a simple algorithm designed for speed - not security. A checksum is really just a specific kind of hash. Steve Friedl's Illustrated Guide to Cryptographic Hashes is an excellent, highly visual introduction to the more general theory behind hashing.

NOTE: If the app was not coded well, or if the coder intentionally puts in malicious code, a checksum is useless.

Now as to the "app" itself. As per Jennifer's husband's response: This is the type of thing that pops up several times a year (or so it seems: 22 apps with 2 million+ Google Play downloads had a malicious backdoor and Google Play apps with as many as 2.6m downloads added devices to botnet are two examples). Now, these are apps available to the public. If you are thinking of making/coding an app and posting it somewhere to be downloaded by specific people, this shouldn't be an issue.

NOTE: While Apple is quite good, Apple has also found and withdrawn malicious apps - For example, Apple Lists Top 25 Apps Compromised by XcodeGhost Malware and More malicious apps found in Mac App Store that are stealing user data
I am adding to @Jen Kirley 's response to make clear that for validation of software, which "apps" are, you need a security specialist. There are quite a few potential security issues that have to be considered.
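The checksum step Marc describes, written out as an added example (this is not code from the thread or from any of the linked tools): a downloaded file is hashed with SHA-256 and compared against the digest the publisher lists in a `sha256sum`-style manifest. The file contents and the manifest are constructed here for the demo; the filename `app-1.0.apk` is a placeholder. The check only means something if the manifest is obtained over a channel independent of the download itself (the publisher's HTTPS page or a signed release note), and, as Marc's note says, it proves the bytes are what the publisher published, not that the publisher's code is benign.

```python
"""Verify a downloaded file against a publisher's SHA-256 manifest.

Added example, not from the forum thread. Assumes the publisher ships a
sha256sum-style manifest ("<hex digest>  <filename>", one entry per line)
over a channel independent of the download; the manifest is what makes
the comparison meaningful.
"""
import hashlib
import hmac
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file contents, hex-encoded (same output as `sha256sum`)."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum output into {filename: hex digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")  # sha256sum separates with two spaces
        name = name.lstrip("*")                  # a leading '*' marks binary mode
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed SHA-256 digest for {name!r}")
        entries[name] = digest.lower()
    return entries


def verify_download(data: bytes, expected_hex: str) -> bool:
    """True only if the file hashes to the published digest.

    hmac.compare_digest gives a constant-time comparison; not critical for a
    local check, but it is the right habit wherever digests are compared.
    """
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def verify_file(path: Path, manifest_text: str) -> bool:
    """Verify a file on disk against the manifest entry with the same name."""
    entries = parse_manifest(manifest_text)
    if path.name not in entries:
        raise KeyError(f"{path.name} is not listed in the manifest")
    return verify_download(path.read_bytes(), entries[path.name])


# --- Constructed demo data (not a real app package) --------------------------
SAMPLE_APP = b"example app package contents\n"
# The manifest as the publisher would produce it with `sha256sum app-1.0.apk`
PUBLISHED_MANIFEST = f"{sha256_hex(SAMPLE_APP)}  app-1.0.apk\n"


def demo() -> tuple:
    """Return (intact download verifies, one-byte-altered download verifies)."""
    expected = parse_manifest(PUBLISHED_MANIFEST)["app-1.0.apk"]
    good = verify_download(SAMPLE_APP, expected)
    # A single flipped bit is what corruption or tampering in transit looks like
    tampered = bytearray(SAMPLE_APP)
    tampered[0] ^= 0x01
    bad = verify_download(bytes(tampered), expected)
    return good, bad


if __name__ == "__main__":
    intact_ok, tampered_ok = demo()
    print("intact download verifies:", intact_ok)      # True
    print("tampered download verifies:", tampered_ok)  # False
```

For a real download, call `verify_file(Path("app-1.0.apk"), manifest_text)` with the manifest text fetched separately from the download; a `KeyError` means the manifest does not cover that file, a `ValueError` means the manifest itself is not in the expected format, and `False` means the bytes on disk are not what was published.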

Ed Panek

VP QA RA Small Med Dev Company FDA and ISO13485:16
Trusted
#4
We use iOS applications, but they use BLE to communicate with our device. BLUETOOTH SPECIFICATION Version 4.2 discusses the redundancy checks inherent in the BLE specification. That is, in order for the device to work it has to verify the checksum of each packet - that's 100% inspection. From our device's perspective, it is promiscuous and just transmits data without any HIPAA information. I have never been asked about this during an FDA audit or 13485 audits.

Technology is changing all the time. If a hospital changes out their routers or ATT repairs a 4G antenna, we don't have to revalidate even though the antenna may be new (if we were using that method). We rely upon the specification to control it. Apple and Android have tight controls over application updates, etc. We regularly validate that each new iOS sw update works. New router firmware at hospitals? No.